Tuesday, March 26, 2013

Malware Retrospective - Infected Chinese Servers Deploy Metasploit Exploits

It has been a while since our team blogged about malware and other interesting information. Today we have some time to talk about one of the cases we analyzed while testing a few tools of our own. We prefer to build custom scripts and tools to automate the process of web malware analysis. Recently we tested one of them, a simple parser that fetches the script, iframe and embed tags present in remote web pages for faster analysis. We came across a set of malicious domains serving an exploit that used the JavaScript heap-spraying technique to execute its payload in a drive-by download attack. That is a common technique for silent browser exploitation; what was not common is the issue discussed below.

The malware domain was hosting an exploit for MS12-043, Microsoft XML Core Services (MSXML) Uninitialized Memory Corruption. More details can be read here: MS12-043. Without any surprise, the IP address of that domain belonged to China, as shown below:

Our surprise did not end there. Since the exploit for this vulnerability was released last year, we were interested in checking how the exploit code was structured. When we traced the exploit code, it was nothing short of a sweet shock: the Chinese domain used the same exploit code hosted in the Metasploit repository for this vulnerability. Now the question: is it possible that Chinese malware authors simply deploy Metasploit exploits for an easy infection process? It could be. Who knows whether the domain was compromised by Chinese actors or belonged to others. It is hard to say who hosted that malware, but clearly the servers were located in China.

The exploit for this vulnerability can be found in Metasploit here: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/msxml_get_definition_code_exec.rb.

A simple check of one of the code snippets used on the malware domain against the legitimate Metasploit repository is shown below:
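As an added illustration of the two steps described in this post (the tag-extraction parser from the first paragraph and the snippet comparison above), here is a small Python script. It is not the authors' tool, not the screenshot comparison, and contains no Metasploit code: it parses a page given as a string instead of fetching it, pulls out script/iframe/embed references, applies a few crude static heap-spray indicators to inline scripts, and measures how close a snippet is to a reference with difflib. The sample page, the `.invalid` hostnames, the indicator thresholds and the short list of sled-byte escapes are all constructed assumptions for the example.

```python
"""Added illustration for this post (not the authors' parser and not Metasploit
code): extract <script>/<iframe>/<embed> references from a page, flag crude
heap-spray indicators in inline scripts, and compare a snippet against a
reference with difflib.  All sample data below is constructed."""
import re
from difflib import SequenceMatcher
from html.parser import HTMLParser

# %uXXXX escapes are how sprayed JavaScript strings are usually assembled.
UNICODE_ESCAPE = re.compile(r"%u[0-9a-fA-F]{4}")
# A variable appended to itself (block += block) doubles the string until it
# fills memory: the classic spray-building loop.
SELF_CONCAT = re.compile(r"\b(\w+)\s*\+=\s*\1\b")
# Sled-byte escapes that public IDS/AV signatures commonly look for
# (assumption: this short list is illustrative, not exhaustive).
SLED_ESCAPES = {"%u0c0c", "%u0d0d", "%u9090"}


class TagCollector(HTMLParser):
    """Collect external script/iframe/embed sources and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.refs = []        # (tag, src) pairs for remote resources
        self.inline = []      # bodies of <script> blocks without a src
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        src = attrs.get("src")
        if tag in ("script", "iframe", "embed") and src:
            self.refs.append((tag, src))
        if tag == "script" and not src:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def heap_spray_indicators(js):
    """Cheap static indicators; a real triage tool would add JS emulation."""
    escapes = [e.lower() for e in UNICODE_ESCAPE.findall(js)]
    ind = {
        "escape_count": len(escapes),
        "sled_like": sum(1 for e in escapes if e in SLED_ESCAPES),
        "self_concat": bool(SELF_CONCAT.search(js)),
    }
    # Threshold is an assumption chosen for the example, not a tuned rule.
    ind["suspicious"] = ind["escape_count"] >= 4 and (
        ind["sled_like"] > 0 or ind["self_concat"])
    return ind


def analyze_page(html):
    """Return external references and one indicator dict per inline script."""
    p = TagCollector()
    p.feed(html)
    p.close()
    return {"refs": p.refs,
            "inline_scripts": [heap_spray_indicators(js) for js in p.inline]}


def normalize_js(js):
    """Strip comments and whitespace so cosmetic edits do not hide a copy."""
    js = re.sub(r"//[^\n]*|/\*.*?\*/", "", js, flags=re.S)
    return re.sub(r"\s+", "", js)


def similarity(snippet, reference):
    """Ratio in 0.0..1.0 between two snippets after normalisation."""
    return SequenceMatcher(None, normalize_js(snippet),
                           normalize_js(reference)).ratio()


# Constructed sample page; hostnames use the reserved .invalid TLD.
SAMPLE_PAGE = """<html><head>
<script src="http://counter.example.invalid/stats.js"></script>
</head><body>
<iframe src="http://landing.example.invalid/x.html" width="1" height="1"></iframe>
<embed src="movie.swf">
<script>
var sc = unescape("%u0c0c%u0c0c%u0c0c%u0c0c");
var block = unescape("%u9090%u9090");
while (block.length < 0x40000) block += block;
</script>
<script>document.write("hello");</script>
</body></html>"""

if __name__ == "__main__":
    report = analyze_page(SAMPLE_PAGE)
    for tag, src in report["refs"]:
        print(f"{tag:7s} -> {src}")
    for i, ind in enumerate(report["inline_scripts"]):
        print(f"inline script {i}: {ind}")
```

The comparison step is deliberately naive: normalising whitespace and comments catches a verbatim copy with cosmetic edits, which is what the post describes, but renamed variables or reordered functions would lower the ratio and need token-level or AST-based matching.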


The exploit code was used in conjunction with the JS code hosted here: http://js.users.51.la/15240615.js.

This code dynamically generates information about the visitor and creates log entries for statistical purposes.

We remember that a few traces were detected earlier where the Phoenix exploit kit used one of the same exploits present in Metasploit. Refer: Gangsterware

The conclusive points are:

  • Metasploit provides neat exploits which are easy to deploy and use.
  • The evidence shows that malware authors are using Metasploit exploits.

Well, reality bites!